Exam (elaborations)

WGU, Information Security and Assurance (C725), SET I

Pages: 21
Grade: A+
Uploaded on: 24-05-2023
Written in: 2022/2023

Q: Information security is primarily a discipline to manage the behavior of ___.
A. Technology
B. People
C. Processes
D. Organizations
Answer: People

Q: Careers in information security are booming because of which of the following factors?
A. Threats of cyberterrorism
B. Government regulations
C. Growth of the Internet
D. All of these
Answer: All of these

Q: A program for information security should include which of the following elements?
A. Security policies and procedures
B. Intentional attacks only
C. Unintentional attacks only
D. None of these
Answer: Security policies and procedures
Explanation: Answer A is correct. The Carnegie Mellon Information Network Institute (INI) designed programs to carry out multiple tasks including information security policies.

Q: The growing demand for InfoSec specialists is occurring predominantly in which of the following types of organizations?
A. Government
B. Corporations
C. Not-for-profit foundations
D. All of these
Answer: D. All of these

Q: The concept of the measures used to ensure the protection of the secrecy of data, objects, or resources.
Answer: Confidentiality

Q: A catchall safe rating for any box with a lock on it. This rating describes the thickness of the steel used to make the lockbox. No actual testing is performed to gain this rating.
Answer: B-Rate Safe Rating

Q: This safe rating is defined as a variably thick steel box with a 1-inch-thick door and a lock. No tests are conducted to provide this rating, either.
Answer: C-Rate Safe Rating

Q: Safes with an Underwriters Laboratory rating that have passed standardized tests as defined in Underwriters Laboratory Standard 687 using tools and an expert group of safe-testing engineers. The safe rating label requires that the safe be constructed of 1-inch solid steel or equivalent. The label means that the safe has been tested for a net working time of 15 minutes using "common hand tools, drills, punches, hammers, and pressure applying devices." Net working time means that when the tool comes off the safe, the clock stops. Engineers exercise more than 50 different types of attacks that have proven effective for safecracking.
Answer: UL TL-15 Safe Rating

Q: This Underwriters Laboratory rating testing is essentially the same as the TL-15 testing, except for the net working time. Testers get 30 minutes and a few more tools to help them gain access. Testing engineers usually have a safe's manufacturing blueprints and can disassemble the safe before the test begins to see how it works.
Answer: UL TL-30 Safe Rating

Q: Related to information security, confidentiality is the opposite of which of the following?
A. Closure
B. Disclosure
C. Disaster
D. Disposal
Answer: B. Disclosure
Explanation: Confidentiality models are primarily intended to ensure that no unauthorized access to information is permitted and that accidental disclosure of sensitive information is not possible.

Q: Integrity models have which of these three goals?
A. Prevent unauthorized users from making modifications to data or programs
B. Prevent authorized users from making improper or unauthorized modifications
C. Maintain internal and external consistency of data and programs
D. All of these
Answer: D. All of these
Explanation: Integrity models keep data pure and trustworthy by protecting system data from intentional or accidental changes.

Q: Information security professionals usually address which of these three common challenges to availability?
A. Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered)
B. Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes)
C. Equipment failures during normal use
D. All of these
Answer: D. All of these
Explanation: Availability models keep data and resources available for authorized use, especially during emergencies or disasters.

Q: Which of the following represents the three goals of information security?
A. Confidentiality, integrity, and availability
B. Prevention, detection, and response
C. People controls, process controls, and technology controls
D. Network security, PC security, and mainframe security
Answer: A. Confidentiality, integrity, and availability
Explanation: These goals form the confidentiality, integrity, availability (CIA) triad, the basis of all security programs.

Q: Usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
Answer: Business Case

Q: A type of security management planning where upper, or senior, management is responsible for initiating and defining policies for the organization.
Answer: Top-down approach

Q: A type of security management planning where IT staff makes security decisions directly without input from senior management. This approach is rarely used in organizations and is considered problematic in the IT industry.
Answer: Bottom-up approach

Q: This security plan is a long-term plan that is fairly stable. It defines the organization's security purpose. It also helps to understand the security function and align it to the goals, mission, and objectives of the organization. It's useful for about five years if it is maintained and updated annually. This plan also serves as the planning horizon. Long-term goals and visions for the future are discussed in this plan. This plan should include a risk assessment.
Answer: Strategic Plan

Q: This security plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan, or it can be crafted ad hoc based upon unpredicted events. This plan is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals. Some examples of these plans are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans.
Answer: Tactical Plan

Q: This security plan is a short-term, highly detailed plan based on the strategic and tactical plans. It is valid or useful only for a short time. These plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans. These plans spell out how to accomplish the various goals of the organization. They include resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures. These plans include details on how the implementation processes are in compliance with the organization's security policy. Examples of these plans are training plans, system deployment plans, and product design plans.
Answer: Operational Plan

Q: Also called classification, the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities.
Answer: Data classification

Q: Top secret, Secret, Confidential, Sensitive but unclassified, Unclassified.
Answer: Five levels of government/military classification

Q: The highest level of government/military data classification. The unauthorized disclosure of top-secret data will have drastic effects and cause grave damage to national security. This data is compartmentalized on a need-to-know basis such that a user could have this clearance and have access to no data until the user has a need to know.
Answer: Top Secret

Q: This level of government/military data classification is used for data of a restricted nature. The unauthorized disclosure of data classified as secret will have significant effects and cause critical damage to national security.
Answer: Secret

Q: This level of government/military data classification is used for data of a sensitive, proprietary, or highly valuable nature. The unauthorized disclosure of data with this classification level will have noticeable effects and cause serious damage to national security. This classification is used for all data between secret and sensitive but unclassified classifications.
Answer: Confidential

Q: This level of government/military data classification is used for data that is for internal use or for office use only (FOUO). Often this data classification is used to protect information that could violate the privacy rights of individuals. This is not technically a classification label; instead, it is a marking or label used to indicate use or management.
Answer: Sensitive But Unclassified (SBU)

Q: This level of government/military data classification is used for data that is neither sensitive nor classified. The disclosure of this type of data does not compromise confidentiality or cause any noticeable damage. This is not technically a classification label; instead, it is a marking or label used to indicate use or management.
Answer: Unclassified

Q: The easy way to remember the names of the five levels of the government or military data classification scheme: U.S. Can Stop Terrorism.
Answer: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified

Q: Four common or possible business classification levels
Answer: Confidential, Private, Sensitive, Public

Q: This common business/private sector data classification level is the highest level of classification. This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if this type of data is disclosed. Sometimes the label proprietary is substituted. Sometimes proprietary data is considered a specific form of this type of information. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.
Answer: Confidential

Q: This common business/private sector data classification level is used for data that is of a private or personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if private data is disclosed.
Answer: Private

Q: This common business/private sector data classification level is used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed.
Answer: Sensitive

Q: This common business/private sector data classification level is the lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.
Answer: Public

Q: Relating to data classification or categorization, this is the formal assignment of responsibility to an individual or group.
Answer: Ownership

Q: This role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. They sign off on all policy issues.
Answer: Senior Manager

Q: This role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management.
Answer: Security Professional

Q: This role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. They are typically a high-level manager who is ultimately responsible for data protection.
Answer: Data Owner

Q: This role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. They perform all activities necessary to provide adequate protection for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill the requirements and responsibilities delegated from upper management. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification.
Answer: Data Custodian

Q: This role is assigned to any person who has access to the secured system. Their access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position (the principle of least privilege). They are responsible for understanding and upholding the security policy of an organization by following prescribed operational procedures and operating within defined security parameters.
Answer: User

Q: This role is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. They may be assigned to a security professional or a trained user. The auditor produces compliance and effectiveness reports that are reviewed by the senior manager.
Answer: Auditor

Q: One of the more widely used security control frameworks. It is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA).
Answer: Control Objectives for Information and Related Technology (COBIT)

Q: Principle 1: Meeting Stakeholder Needs; Principle 2: Covering the Enterprise End-to-End; Principle 3: Applying a Single, Integrated Framework; Principle 4: Enabling a Holistic Approach; Principle 5: Separating Governance From Management
Answer: COBIT 5 (five key principles for governance and management of enterprise IT)

Q: Defense in depth is needed to ensure that which three mandatory activities are present in a security system?
A. Prevention, response, and prosecution
B. Response, collection of evidence, and prosecution
C. Prevention, detection, and response
D. Prevention, response, and management
Answer: C. Prevention, detection, and response
Explanation: Defense in depth is implemented in overlapping layers that provide the three elements needed to secure assets: prevention, detection, and response.

Q: T or F: Functional requirements describe what a system should do.
Answer: True

Q: T or F: Assurance requirements describe how functional requirements should be implemented and tested.
Answer: True

Q: Which of the following best represents the two types of IT security requirements?
A. Functional and logical
B. Logical and physical
C. Functional and assurance
D. Functional and physical
Answer: Functional and assurance
Explanation: Functional requirements describe what a system should do. Assurance requirements describe how functional requirements should be implemented and tested.

Q: Which of the following terms best describes the probability that a threat to an information system will materialize?
A. Threat
B. Vulnerability
C. Hole
D. Risk
Answer: D. Risk
Explanation: Risk involves looking at what the consequence of a loss is and the likelihood that this loss will occur.

Q: Which of the following statements is true?
A. Controls are implemented to eliminate risk and eliminate the potential for loss.
B. Controls are implemented to mitigate risk and reduce the potential for loss.
C. Controls are implemented to eliminate risk and reduce the potential for loss.
D. Controls are implemented to mitigate risk and eliminate the potential for loss.
Answer: B. Controls are implemented to mitigate risk and reduce the potential for loss.
Explanation: Controls mitigate a wide variety of information security risks and reduce loss.

Q: Security functional requirements describe which of the following?
A. What a security system should do by design
B. What controls a security system must implement
C. Quality assurance description and testing approach
D. How to implement the system
Answer: A. What a security system should do by design

Q: ISC2 was formed for which of the following purposes?
A. Maintaining a Common Body of Knowledge for information security
B. Certifying industry professionals and practitioners in an international IS standard
C. Ensuring that credentials are maintained, primarily through continuing education
D. All of these
Answer: D. All of these
Explanation: The goals of (ISC)2 are maintaining a Common Body of Knowledge for information security, certifying industry professionals and practitioners according to the international IS standard, administering training and certification examinations, and ensuring that credentials are maintained, primarily through continuing education.

Q: Which of the following statements best describes the information security Common Body of Knowledge?
A. The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals.
B. The information security Common Body of Knowledge is a volume of books published by the ISC2.
C. The information security Common Body of Knowledge is a reference list of books and other publications put together by practitioners in information security.
D. The information security Common Body of Knowledge is an encyclopedia of information security principles, best
Answer: A. The information security Common Body of Knowledge is a compilation and distillation of all security information collected internationally of relevance to information security professionals.

Q: 1. Information Security Governance and Risk Management
2. Security Architecture and Design
3. Business Continuity and Disaster Recovery Planning
4. Legal Regulations, Investigations, and Compliance
5. Physical (Environmental) Security
6. Operations Security
7. Access Control
8. Cryptography
9. Telecommunications and Network Security
10. Software Development Security
Answer: The 10 Domains of the Information Security Common Body of Knowledge (CBK)

Q: The Operations Security domain includes which of the following?
A. Mechanisms for secure access to a data center
B. Identification of controls over hardware, media, and personnel
C. Help-desk support for security incidents
D. Consulting on IT projects
Answer: B. Identification of controls over hardware, media, and personnel

Q: This CBK domain emphasizes the importance of a comprehensive security plan that includes security policies and procedures for protecting data and how it is administered. Topics include:
- Understanding and aligning security functions with the goals, mission, and objectives of the organization
- Understanding and applying security governance
- Understanding and applying concepts of confidentiality, integrity, and availability
- Developing and implementing security policies
- Managing the information life cycle (classification, categorization, and ownership)
- Managing third-party governance (on-site assessments, document exchange and review, process and policy reviews)
- Understanding and applying risk management concepts
- Managing personnel security
- Developing and managing security education, training, and awareness
- Managing the security function (budgets, metrics, and so on)
Answer: Information Security Governance and Risk Management

Q: This CBK domain discusses concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and other controls to enforce various levels of confidentiality, integrity, and availability. Topics include:
- Understanding the fundamental concepts of security models (confidentiality models, integrity models, and multilevel models)
- Identifying the components of information systems security evaluation models (such as Common Criteria)
- Understanding security capabilities of information systems (memory protection, trusted platform modules, and so on)
- Pinpointing the vulnerabilities of security architectures
- Recognizing software and system vulnerabilities and threats
- Understanding countermeasure principles (such as defense in depth)
Answer: Security Architecture and Design

Q: This CBK domain demonstrates business continuity requirements, conducting business impact analysis, developing a recovery strategy, understanding the disaster recovery process, and exercising, assessing, and maintaining the plans. Topics include:
- Understanding business continuity requirements
- Conducting business impact analysis
- Developing a recovery strategy
- Understanding the disaster recovery process
- Exercising, assessing, and maintaining the plans
Answer: Business Continuity and Disaster Recovery Planning

Q: This CBK domain covers the different targets of computer crimes, bodies of law, and the different types of laws and regulations as they apply to computer security. Topics include:
- Understanding legal issues that pertain to information security internationally
- Adopting professional ethics
- Understanding and supporting investigations
- Understanding forensic procedures
- Following compliance requirements and procedures
- Ensuring security in contractual agreements and procurement processes (such as cloud computing, outsourcing, and vendor governance)
Answer: Legal Regulations, Investigations, and Compliance

Q: This CBK domain includes securing the physical site using policies and procedures coupled with the appropriate alarm and intrusion detection systems, monitoring systems, and so forth. Topics include:
- Understanding site and facility design considerations
- Supporting the implementation and operation of perimeter security (physical access controls and monitoring, keys, locks, safes, and so on)
- Supporting the implementation and operation of facilities security (badges, smart cards, PINs, and so on)
- Supporting the protection and securing of equipment
- Understanding personnel privacy and safety (duress, travel, and so on)
Answer: Physical (Environmental) Security

Q: This CBK domain covers the kind of operational procedures and tools that eliminate or reduce the capability to exploit critical information. It includes defining the controls over media, hardware, and operators with special systems privileges. Topics include:
- Understanding security operations concepts (need-to-know, separation of duties, and so on)
- Employing resource protection
- Managing incident response
- Implementing preventive measures against attacks
- Implementing and supporting patch and vulnerability management
- Understanding change and configuration management
- Understanding system resilience and fault-tolerant requirements
Answer: Operations Security

Q: This CBK domain covers who may access the system, and what they can do after they are signed on. Topics include:
- Understanding identification, authentication, authorization, and logging and monitoring techniques and technologies
- Understanding access control attacks
- Assessing effectiveness of access controls
- Understanding the identity and access provisioning life cycle
Answer: Access Control

Q: This CBK domain contains the stuff of espionage and spy novels. It involves encrypting data so that authorized individuals may view the sensitive data and unauthorized individuals may not. Cryptography is a highly complex topic. The InfoSec specialist needs to understand the function but not necessarily the mechanics of cryptography. Topics include:
- Identifying the application and use of cryptography
- Comprehending the cryptographic life cycle
- Understanding encryption concepts
- Identifying key management processes
- Using digital signatures
- Identifying nonrepudiation
- Recognizing the methods of cryptanalytic attacks
- Using cryptography to maintain network security
- Using cryptography to maintain application security
- Understanding the public key infrastructure (PKI)
- Identifying certificate-related issues
- Understanding information-hiding alternatives
Answer: Cryptography

Q: This CBK domain covers another technical segment of the CBK. Topics include not just network topologies, but also their weaknesses and defenses. Many of the operational tools, such as firewalls, fall into this domain, along with the following subject areas:
- Understanding secure network architecture and design
- Securing network components
- Establishing secure communications channels (VPN, SSL, and so on)
- Understanding network attacks (denial of service, spoofing, and so on)
Answer: Telecommunications and Network Security

Q: This CBK domain focuses on sound and secure application development techniques. This domain requires a good understanding of the controls needed for the software development life cycle (SDLC), and how they're applied during each phase.
Answer: Software Development Security

Q: The Access Control domain includes which of the following?
A. A collection of mechanisms to create secure architectures for asset protection
B. Instructions on how to install perimeter door security
C. A methodology for applications development
D. A methodology for secure data center operations
Answer: A. A collection of mechanisms to create secure architectures for asset protection
Explanation: The Access Control Systems and Methodology domain includes understanding identification, authentication, authorization, and logging and monitoring techniques and technologies; understanding access control attacks; assessing effectiveness of access controls; and understanding the identity and access provisioning life cycle.

Q: People more interested in certifying themselves as security experts in a business context should consider preparing for which of the following certifications?
A. GIAC
B. CISA
C. ISSAP
D. SSCP
Answer: B. CISA
Explanation: The subject areas of the CISA focus more on security with business procedures than on technology.

Q: A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
Answer: Security policy

Q: Regulatory, Advisory, and Informative.
Answer: Three overall categories of security policies

Q: This category of a security policy is required whenever industry or legal standards are applicable to your organization. This policy discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance.
Answer: Regulatory policy

Q: This category of a security policy discusses behaviors and activities that are acceptable and defines consequences of violations. It explains senior management's desires for security and compliance within an organization. Most policies are in this category.
Answer: Advisory policy

Q: This category of a security policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers. It provides support, research, or background information relevant to the specific elements of the overall policy.
Answer: Information policy

Q: Security standards are the next level below what?
Answer: Security policies

Q: T or F: Tasks and responsibilities with regard to developing a security policy should not be assigned to an individual person, but rather to a job function or role.
Answer: True
Explanation: A security policy does not define who is to do what but rather defines what must be done by the various roles within the security infrastructure. Then these defined security roles are assigned to individuals as a job description or an assigned work task.

Q: This security policy is a commonly produced document that exists as part of the overall security documentation infrastructure. The use of this policy is specifically designed to assign security roles within the organization as well as ensure the responsibilities tied to those roles. This policy defines a level of acceptable performance and expectation of behavior and activity. Failure to comply with the policy may result in job action warnings, penalties, or termination.
Answer: Acceptable Use Policy

Q: Security baselines are below what?
Answer: Security standards

Q: Defines a minimum level of security that every system throughout the organization must meet. All systems not complying with this tactical procedure should be taken out of production until they can be brought up to the baseline. This procedure establishes a common foundational secure state on which all additional and more stringent security measures can be built. It is usually system specific and often refers to an industry or government standard, like the Trusted Computer System Evaluation Criteria (TCSEC), the Information Technology Security Evaluation Criteria (ITSEC), or NIST (National Institute of Standards and Technology) standards.
Answer: Baseline

Q: Offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users. These elements of a security policy are flexible so they can be customized for each unique system or condition and can be used in the creation of new procedures. They state which security mechanisms should be deployed instead of prescribing a specific product or control and detailing configuration settings. They outline methodologies, include suggested actions, and are not compulsory.
Answer: Guidelines

Q: The final element of the formalized security policy structure
Answer: Procedures

Q: A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. It could discuss the entire system deployment operation or focus on a single product or aspect, such as deploying a firewall or updating virus definitions. In most cases, these are system and software specific.
Answer: Procedures, a.k.a. standard operating procedure (SOP)

Q: T or F: Threat modeling is the security process where potential threats are identified, categorized, and analyzed.
Answer: True
Explanation: Threat modeling identifies the potential harm, the probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat.

Q: What is SD3+C?
Answer: Secure by Design, Secure by Default, Secure in Deployment and Communication

Q: What are the two goals of SD3+C?
Answer: To reduce the number of security-related design and coding defects, and to reduce the severity of any remaining defects

Q: This type of threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach.
Answer: Proactive approach
Explanation: This method is based on predicting threats and designing in specific defenses during the coding and crafting process, rather than relying on post-deployment updates and patches.

Q: This type of threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach.
Answer: Reactive approach
Explanation: This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing. Although these processes are often useful in finding flaws and threats that need to be addressed, they unfortunately result in additional effort in coding to add in new countermeasures. Returning to the design phase might produce better products in the long run, but starting over from scratch is massively expensive and causes significant time delays to product release. Thus, the shortcut is to craft updates or patches to be added to the product after deployment.

Q: A specialized dynamic testing technique that provides many different types of input to software to stress its limits and find previously undetected flaws. This method of testing software supplies invalid input to the software, either randomly generated or specially crafted to trigger known software vulnerabilities. The tester then monitors the performance of the application, watching for software crashes, buffer overflows, or other undesirable and/or unpredictable outcomes.
Answer: Fuzz testing

Q: Focused on Assets, Focused on Attackers, Focused on Software
Answer: Three structured approaches to accurately identify relevant threats

Q: This method uses asset valuation results and attempts to identify threats to the valuable assets. For example, a specific asset can be evaluated to determine if it is susceptible to an attack. If the asset hosts data, access controls can be evaluated to identify threats that can bypass authentication or authorization mechanisms.
Answer: Focused on Assets

Q: Some organizations are able to identify potential attackers and can identify the threats they represent based on the attacker's goals. For example, a government is often able to identify potential attackers and recognize what the attackers want to achieve. They can then use this knowledge to identify and protect their relevant assets. A challenge with this approach is that new attackers can appear that weren't previously considered a threat.
Answer: Focused on Attackers

Q: A threat categorization scheme developed by Microsoft.
Answer: STRIDE

Q: The meaning of the acronym STRIDE, the threat categorization scheme developed by Microsoft.
Answer: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service (DoS), Elevation of privilege

Q: An attack with the goal of gaining access to a target system through the use of a falsified identity. This method can be used against Internet Protocol (IP) addresses, MAC addresses, usernames, system names, wireless network service set identifiers (SSIDs), email addresses, and many other types of logical identification. When an attacker lies about their identity as a valid or authorized entity, they are often able to bypass filters and blockades against unauthorized access. Once this type of attack has successfully granted an attacker access to a target system, subsequent attacks of abuse, data theft, or privilege escalation can be initiated.
Answer: Spoofing

Q: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. This type of threat is used to falsify communications or alter static information. Such attacks are a violation of integrity as well as availability.
Answer: Tampering

Q: The ability of a user or attacker to deny having performed an action or activity. Often attackers engage in these attacks in order to maintain plausible deniability so as not to be held accountable for their actions. These attacks can also result in innocent third parties being blamed for security violations.
Answer: Repudiation

Q: The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. This could include customer identity information, financial information, or proprietary business operation details. This threat type can take advantage of system design and implementation mistakes, such as failing to remove debugging code, leaving sample applications and accounts, not sanitizing programming notes from client-visible content (such as comments in Hypertext Markup Language (HTML) documents), using hidden form fields, or allowing overly detailed error messages to be shown to users.
Answer: Information disclosure

Q: An attack that attempts to prevent authorized use of a resource. This can be done through flaw exploitation, connection overloading, or traffic flooding. This type of threat does not necessarily result in full interruption to a resource; it could instead reduce throughput or introduce latency in order to hamper productive use of a resource. Although most of these attacks are temporary and last only as long as the attacker maintains the onslaught, there are some permanent attacks that use this threat technique. A permanent attack might involve the destruction of a dataset, the replacement of software with malicious alternatives, or forcing a firmware flash operation that could be interrupted or that installs faulty firmware. Any of these attacks would render a permanently damaged system that is not able to be restored to normal operation with a simple reboot or by waiting out the attackers. A full system repair and backup restoration would be required to recover from a permanent attack.
Answer: Denial of service (DoS)

Q: An attack where a limited user account is transformed into an account with greater privileges, powers, and access. This might be accomplished through theft or exploitation of the credentials of a higher-level account, such as that of an administrator or root. It also might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.
Answer: Elevation of privilege

Q: T or F: Although STRIDE is typically used to focus on application threats, it is applicable to other situations, such as network threats and host threats.
Answer: True

Q: A threat modeling methodology that uses a risk-centric approach. It aims at selecting or developing countermeasures in relation to the value of the assets to be protected.
Answer: Process for Attack Simulation and Threat Analysis (PASTA)

Q: Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)
Answer: The 7 stages of PASTA
Explanation: Each stage of PASTA has a specific list of objectives to achieve and deliverables to produce in order to complete the stage.

Q: A threat methodology which can be identified by the acronym (DREAD).
Disaster, Reproducibility, Exploitibility, Affected Users, Discoverability also known as Trike Trike provides a method of performing a security audit in a reliable and repeatable procedure. It also provides a consistent framework for communication and collaboration among security workers. Trike is used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions. A threat modeling concept based on Agile project management and programming principles. The goal this methodology is to integrate threat and risk management into an Agile programming environment on a scalable basis. Visual, Agile, and Simple Threat (VAST) T or F Once an understanding has been gained in regard to the threats facing your development project or deployed infrastructure, the next step in threat modeling is to determine the potential attack concepts that could be realized. This is often accomplished through the creation of a diagram of the elements involved in a transaction along with indications of data flow and privilege boundaries True Once a diagram has been crafted, identify all of the technologies involved. This would include operating systems, applications (network service and client based), and protocols. Be specific as to the version numbers and update/patch level in use.Next, identify attacks that could be targeted at each element of the diagram. Keep in mind that all forms of attacks should be considered, including logical/technical, physical, and social. For example, be sure to include spoofing, tampering, and social engineering. This process will quickly lead you into the next phase of threat modeling: reduction analysis.